The Big Security Oversight When Using Amazon Web Services

When it comes to cloud security, many people assume that all is sound and secure as long as someone else has agreed to handle it. In fact, management and legal counsel who typically sign the service-level agreements and related contracts are often elated that security is no longer their concern – especially when an organization as reputable as Amazon is doing the work. Not so fast though!

Amazon commits to securing its underlying Amazon Web Services (AWS) infrastructure; however, as they point out, the rest is up to you:

“Because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure.”

I learned this first-hand during an incident response project I worked on not too long ago. My client was hosting numerous high-visibility websites in AWS for several enterprise customers. One of the websites used to have a known vulnerable page that permitted anonymous HTTP proxy requests to pass through – a common attack method of criminal hackers. The page was removed years ago but somehow it was still on a list of known HTTP proxies and people were still trying to take advantage of it. This resulted in my client’s web server receiving tens of thousands of requests per minute for this page. As you can imagine, these requests turned into a considerable denial of service (DoS) situation.

The website being attacked was kept up and running thanks to the resiliency of AWS. Amazon did what they said they’d do. Yet still, a DoS attack was being levied. Had this been SQL injection, cross-site scripting, weak passwords or any other common Web security flaw, the exploit would have still been carried out. And my client would have been responsible.
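The flood described above is exactly the kind of application-layer problem that falls on the customer's side of the shared-responsibility line, and the first step in responding is noticing it. The following is an added example, not code from the original post or from AWS: a small log analyzer that buckets web-server access-log requests by minute and URL path (query string stripped, so every variant of an abused page counts as one) and flags any bucket that exceeds a per-minute threshold, along with the top source IPs so a responder can tell one noisy client from a distributed crowd. It assumes the common Apache/nginx "combined" log format; the sample log lines and the threshold value are constructed for illustration.

```python
"""Detect a request flood against one URL path in web-server access logs.

Added example (not from the original post). Assumes the Apache/nginx
"combined" log format; the threshold is a parameter you tune per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, minute, path) for one log line, or None if it doesn't parse.

    The query string is dropped so /proxy.php?url=a and /proxy.php?url=b
    land in the same bucket.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    minute = ts.strftime("%Y-%m-%d %H:%M")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), minute, path


def find_floods(lines, per_minute_threshold):
    """Return {(minute, path): (count, top_ips)} for buckets over the threshold.

    Counting per path rather than per source IP catches the case in the post:
    many distinct clients hammering one abused URL. top_ips is a list of
    (ip, count) pairs so a responder can see whether it is one source or many.
    """
    buckets = defaultdict(Counter)  # (minute, path) -> Counter of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; skip rather than crash mid-incident
        ip, minute, path = parsed
        buckets[(minute, path)][ip] += 1
    return {
        key: (sum(ips.values()), ips.most_common(3))
        for key, ips in buckets.items()
        if sum(ips.values()) > per_minute_threshold
    }


def sample_log():
    """Constructed sample data (not real traffic): 50 hits from 20 addresses
    against a long-removed proxy page that now returns 404, plus two normal
    requests. Addresses are from the documentation ranges."""
    lines = []
    for i in range(50):
        lines.append(
            f'203.0.113.{i % 20} - - [10/Oct/2023:13:55:{i % 60:02d} +0000] '
            f'"GET /proxy.php?url=http://example.com/ HTTP/1.1" 404 209 '
            f'"-" "curl/7.68.0"'
        )
    lines.append('198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] '
                 '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('198.51.100.8 - - [10/Oct/2023:13:56:02 +0000] '
                 '"GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    # Threshold of 30 requests/minute is a constructed value for the sample.
    for (minute, path), (count, top) in find_floods(sample_log(), 30).items():
        print(f"{minute} {path}: {count} requests; top sources {top}")
```

Note that the abused page returns 404 here, as in the post's incident; a removed page still costs a request's worth of capacity every time it is hit, which is why counting by path rather than by status or by single IP is the useful view. In practice you would feed the function a tail of the live log (or the CloudWatch/ALB equivalent) and pick the threshold from your site's normal per-path rate.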

Don’t let a cloud security breach in AWS (or any other cloud provider) get to the point where you stop transacting business, risk losing customers, and, worst of all, end up with a data breach on your hands. Similar to how the government is not going to be there to protect you when you need it most, Amazon is not necessarily going to protect you from direct attacks against the security of your websites and applications in the cloud. They never committed to doing so. It’s right there in the SLA that management signed.

Make sure you understand the true state of security of your web presence in the cloud and be prepared to respond appropriately when the time comes. No one else is going to do it for you.